Security Ethical Challenges MIS

8/3/2019 Security Ethical Challenges MIS

http://slidepdf.com/reader/full/security-ethical-challenges-mis 1/61

Security and Ethical

Challenges

James A. O'Brien, and George Marakas.Management Information Systems with MISource2007, 8th ed. Boston, MA: McGraw-Hill, Inc.,2007. ISBN: 13 9780073323091



Learning Objectives

Identify several ethical issues in how the use ofinformation technologies in business affects:employment, individuality, working conditions,Privacy, crime, health, and solutions to societal

problems Identify several types of security management

strategies and defenses, and explain how they canbe used to ensure the security of business

applications of information technology Propose several ways that business managers and

professionals can help to lessen the harmful effectsand increase the beneficial effects of the use of IT

2



Case 1 Cyberscams and

Cybercriminals Cyberscams are today’s fastest-growing

criminal niche

87 percent of companies surveyed reporteda security incidentThe U.S. Federal Trade Commission says

identity theft is its top complaint

eBay has 60 people combating fraud;Microsoft has 65

Stolen credit card account numbers areregularly sold online

3



Case Study Questions What are several reasons why “cyberscams are today’s

fastest-growing criminal niche”? Explain why the reasons you give contribute to the growth

of cyberscams What are several security measures that could be

implemented to combat the spread of cyberscams? Explain why your suggestions would be effective in limiting

the spread of cyberscams Which one or two of the four top cybercriminals described in

this case poses the greatest threat to businesses? Toconsumers? Explain the reasons for your choices, and how businesses

and consumers can protect themselves from thesecyberscammers

4



IT Security, Ethics, and Society

5

IT has both beneficialand detrimentaleffects on society andpeopleManage work

activities tominimize thedetrimental effects

of ITOptimize the

beneficial effects



Business Ethics

Ethics questions that managers confront as partof their daily business decision making include:Equity

RightsHonestyExercise of corporate power

6



Categories of Ethical Business

Issues

7



Corporate Social Responsibility

Theories Stockholder Theory Managers are agents of the stockholders Their only ethical responsibility is to increase the profits of

the business without violating the law or engaging in

fraudulent practices Social Contract Theory

Companies have ethical responsibilities to all members ofsociety, who allow corporations to exist

Stakeholder Theory

Managers have an ethical responsibility to manage a firmfor the benefit of all its stakeholders

Stakeholders are all individuals and groups that have astake in, or claim on, a company

8



Principles of Technology Ethics Proportionality - The good achieved by the technology must

outweigh the harm or risk; there must be no alternative thatachieves the same or comparable benefits with less harm orrisk

Informed Consent - Those affected by the technology should

understand and accept the risks Justice

The benefits and burdens of the technology should bedistributed fairly

Those who benefit should bear their fair share of the risks,

and those who do not benefit should not suffer a significantincrease in risk

Minimized Risk - Even if judged acceptable by the other threeguidelines, the technology must be implemented so as toavoid all unnecessary risk

9



AITP Standards of Professional

Conduct

10



Responsible Professional

Guidelines A responsible professionalActs with integrity

Increases personal competenceSets high standards of personal performanceAccepts responsibility for his/her workAdvances the health, privacy, and general

welfare of the public

11



Computer Crime

Computer crime includesUnauthorized use, access, modification, or

destruction of hardware, software, data, ornetwork resources

The unauthorized release of informationThe unauthorized copying of softwareDenying an end user access to his/her own

hardware, software, data, or network resourcesUsing or conspiring to use computer or

network resources illegally to obtaininformation or tangible property

12



Cybercrime Protection Measures

13



Hacking Hacking isThe obsessive use of computersThe unauthorized access and use of networked

computer systems Electronic Breaking and EnteringHacking into a computer system and reading

files, but neither stealing nor damaging anything

CrackerA malicious or criminal hacker who maintains

knowledge of the vulnerabilities found forprivate advantage

14



Common Hacking Tactics

Denial of Service Hammering a website’s equipment with too many requests for

information Clogging the system, slowing performance, or crashing the site

Scans Widespread probes of the Internet to determine types of

computers, services, and connections Looking for weaknesses

Sniffer Programs that search individual packets of data as they pass

through the Internet

Capturing passwords or entire contents Spoofing

Faking an e-mail address or Web page to trick users intopassing along critical information like passwords or credit cardnumbers

15




Trojan House A program that, unknown to the user, contains instructions thatexploit a known vulnerability in some software

Back Doors A hidden point of entry to be used in case the original entry

point is detected or blocked Malicious Applets

Tiny Java programs that misuse your computer’s resources,

modify files on the hard disk, send fake email, or stealpasswords

War Dialing

Programs that automatically dial thousands of telephonenumbers in search of a way in through a modem connection

Logic Bombs An instruction in a computer program that triggers a malicious

act

16




Buffer Overflow Crashing or gaining control of a computer by sending too muchdata to buffer memory

Password Crackers Software that can guess passwords

Social Engineering Gaining access to computer systems by talking unsuspecting

company employees out of valuable information, such aspasswords

Dumpster Diving Sifting through a company’s garbage to find information to help

break into their computers

17



Cyber Theft

Many computer crimes involve the theft ofmoney

The majority are “inside jobs” that involve

unauthorized network entry and alternation ofcomputer databases to cover the tracks of theemployees involved

Many attacks occur through the Internet

Most companies don’t reveal that they havebeen targets or victims of cybercrime

18



Unauthorized Use at Work

Unauthorized use of computer systems andnetworks is time and resource theft

Doing private consulting

Doing personal financesPlaying video gamesUnauthorized use of the Internet or company

networks

SniffersUsed to monitor network traffic or capacityFind evidence of improper use

19



Internet Abuses in the WorkplaceGeneral email abusesUnauthorized usage and accessCopyright infringement/plagiarismNewsgroup postingsTransmission of confidential dataPornographyHacking

Non-work-related download/uploadLeisure use of the InternetUse of external ISPsMoonlighting

20



Software Piracy

Software PiracyUnauthorized copying of computer programs

LicensingPurchasing software is really a payment

for a license for fair useSite license allows a certain number of copies

21

A third of the softwareindustry’s revenues are

lost to piracy



Theft of Intellectual Property

Intellectual PropertyCopyrighted material Includes such things as music, videos,

images, articles, books, and software Copyright Infringement is IllegalPeer-to-peer networking techniques have

made it easy to trade pirated intellectualproperty

Publishers Offer Inexpensive Online Music Illegal downloading of music and video is

down and continues to drop

22



Viruses and Worms

A virus is a program that cannot work withoutbeing inserted into another programA worm can run unaided

These programs copy annoying or destructive

routines into networked computersCopy routines spread the virus

Commonly transmitted throughThe Internet and online servicesEmail and file attachmentsDisks from contaminated computersShareware

23



Top Five Virus Families of all Time

My Doom, 2004 Spread via email and over Kazaa file-sharing network Installs a back door on infected computers Infected email poses as returned message or one that can’t be

opened correctly, urging recipient to click on attachment Opens up TCP ports that stay open even after termination of

the worm Upon execution, a copy of Notepad is opened, filled with

nonsense characters Netsky, 2004

Mass-mailing worm that spreads by emailing itself to all email

addresses found on infected computers Tries to spread via peer-to-peer file sharing by copying itself

into the shared folder It renames itself to pose as one of 26 other common files along

the way

24



Top Five Virus Families of all Time SoBig, 2004

Mass-mailing email worm that arrives asan attachment Examples: Movie_0074.mpg.pif, Document003.pif

Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking foremail addresses to which it can send itself

Also attempts to download updates for itself Klez, 2002

A mass-mailing email worm that arrives with a randomly namedattachment

Exploits a known vulnerability in MS Outlook to auto-execute on

unpatched clients Tries to disable virus scanners and then copy itself to all local

and networked drives with a random file name Deletes all files on the infected machine and any mapped

network drives on the 13th of all even-numbered months

25



Top Five Virus Families of all Time Sasser, 2004

Exploits a Microsoft vulnerability to spread from computer tocomputer with no user intervention

Spawns multiple threads that scan local subnets forvulnerabilities

26



The Cost of Viruses, Trojans,

Worms Cost of the top five virus familiesNearly 115 million computers in 200 countries

were infected in 2004Up to 11 million computers are believed to

be permanently infected In 2004, total economic damage from virus

proliferation was $166 to $202 billionAverage damage per computer is between

$277 and $366

27



Adware and Spyware

AdwareSoftware that purports to serve a useful

purpose, and often doesAllows advertisers to display pop-up and

banner ads without the consent of thecomputer users

SpywareAdware that uses an Internet connection in

the background, without the user’s permissionor knowledge

Captures information about the user andsends it over the Internet

28



Spyware Problems

Spyware can steal private information and alsoAdd advertising links to Web pagesRedirect affiliate paymentsChange a users home page and search settingsMake a modem randomly call premium-rate

phone numbersLeave security holes that let Trojans in

Degrade system performance Removal programs are often not completely

successful in eliminating spyware

29



Privacy Issues

The power of information technology to storeand retrieve information can have a negativeeffect on every individual’s right to privacy

Personal information is collected with everyvisit to a Web siteConfidential information stored by credit

bureaus, credit card companies, and the

government has been stolen or misused

30



Opt-in Versus Opt-out

Opt-InYou explicitly consent to allow data to be

compiled about youThis is the default in Europe

Opt-OutData can be compiled about you unless you

specifically request it not beThis is the default in the U.S.

31



Privacy Issues Violation of Privacy

Accessing individuals’ private email conversations and

computer records Collecting and sharing information about individuals gained

from their visits to Internet websites

Computer Monitoring Always knowing where a person is Mobile and paging services are becoming more closely

associated with people than with places Computer Matching

Using customer information gained from many sources tomarket additional business services Unauthorized Access of Personal Files

Collecting telephone numbers, email addresses, credit cardnumbers, and other information to build customer profiles

32



Protecting Your Privacy on the

Internet There are multiple ways to protect your privacyEncrypt emailSend newsgroup postings through

anonymous remailersAsk your ISP not to sell your name and

information to mailing list providers and

other marketersDon’t reveal personal data and interests on

online service and website user profiles

33



Privacy Laws Electronic Communications Privacy Act

and Computer Fraud and Abuse Act Prohibit intercepting data communications messages, stealing or

destroying data, or trespassing in federal-related computersystems

U.S. Computer Matching and Privacy Act Regulates the matching of data held in federal agency files to

verify eligibility for federal programs Other laws impacting privacy and how

much a company spends on compliance Sarbanes-Oxley

Health Insurance Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley USA Patriot Act California Security Breach Law Securities and Exchange Commission rule 17a-4

34



Computer Libel and Censorship The opposite side of the privacy debate…

Freedom of information, speech, and press Biggest battlegrounds - bulletin boards, email boxes, and

online files of Internet and public networks

Weapons used in this battle – spamming, flame mail,libel laws, and censorship Spamming - Indiscriminate sending of unsolicited email

messages to many Internet users Flaming

Sending extremely critical, derogatory, and oftenvulgar email messages or newsgroup posting to otherusers on the Internet or online services

Especially prevalent on special-interest newsgroups

35



Cyberlaw Laws intended to regulate activities over the Internet or via

electronic communication devices Encompasses a wide variety of legal and political issues Includes intellectual property, privacy, freedom of

expression, and jurisdiction The intersection of technology and the law is controversial

Some feel the Internet should not be regulated Encryption and cryptography make traditional form of

regulation difficult The Internet treats censorship as damage and simply

routes around it Cyberlaw only began to emerge in 1996

Debate continues regarding the applicability of legalprinciples derived from issues that had nothing to do withcyberspace

36



Other Challenges Employment

IT creates new jobs and increases productivity It can also cause significant reductions in job opportunities, as well as

requiring new job skills Computer Monitoring

Using computers to monitor the productivity and behavior of employees asthey work

Criticized as unethical because it monitors individuals, not just work, and isdone constantly

Criticized as invasion of privacy because many employees do not knowthey are being monitored

Working Conditions IT has eliminated monotonous or obnoxious tasks

However, some skilled craftsperson jobs have been replaced by jobsrequiring routine, repetitive tasks or standby roles

Individuality Dehumanizes and depersonalizes activities because computers eliminate

human relationships Inflexible systems

37



Health Issues

Cumulative Trauma Disorders (CTDs)Disorders suffered by people who sit at a

PC or terminal and do fast-paced repetitivekeystroke jobs

Carpal Tunnel SyndromePainful, crippling ailment of the hand

and wristTypically requires surgery to cure

38



Ergonomics

Designing healthywork environments Safe, comfortable,

and pleasant for

people to work in Increases

employee moraleand productivity

Also called human

factors engineering

39

Ergonomics Factors



Societal Solutions

Using information technologies to solve humanand social problemsMedical diagnosisComputer-assisted instruction

Governmental program planningEnvironmental quality controlLaw enforcementJob placement

The detrimental effects of ITOften caused by individuals or organizations

not accepting ethical responsibility for theiractions

40



Security Management of IT

The Internet was developed for inter-operability,not impenetrabilityBusiness managers and professionals alike

are responsible for the security, quality, and

performance of business information systemsHardware, software, networks, and data

resources must be protected by a varietyof security measures

41



Case 2 Data Security Failures

Security Breach Headlines Identity thieves stole information on 145,000

people from ChoicePointBank of America lost backup tapes that held

data on over 1 million credit card holdersDSW had its stores’ credit card data

breached; over 1 million had been accessed

Corporate America is finally owning up to a long-held secret It can’t safeguard its most valuable data

42



Case Study Questions

Why have there been so many recent incidentsof data security breaches and loss of customerdata by reputable companies?

What security safeguards must companies have

to deter electronic break-ins into their computernetworks, business applications, and dataresources like the incident at Lowe’s?

What security safeguards would have deterred

the loss of customer data at TCI

Bank of America

ChoicePoint?43



Security Management

The goal of securitymanagement is theaccuracy, integrity,

and safety of allinformation systemprocesses andresources

44



Internetworked Security Defenses

EncryptionData is transmitted in scrambled form It is unscrambled by computer systems for

authorized users onlyThe most widely used method uses a pair of

public and private keys unique to eachindividual

45



Public/Private Key Encryption

46




FirewallsA gatekeeper system that protects a

company’s intranets and other computer

networks from intrusionProvides a filter and safe transfer point for

access to/from the Internet and othernetworks

Important for individuals who connect to theInternet with DSL or cable modems

Can deter hacking, but cannot prevent it

47



Internet and Intranet Firewalls

48



Denial of Service Attacks

Denial of service attacks depend on threelayers of networked computer systemsThe victim’s website The victim’s Internet service provider

Zombie or slave computers that have beencommandeered by the cybercriminals

49



Defending Against Denial of Service

At Zombie MachinesSet and enforce security policiesScan for vulnerabilities

At the ISP

Monitor and block traffic spikes At the Victim’s Website Create backup servers and network

connections

50




Email MonitoringUse of content monitoring software that scans

for troublesome words that might compromisecorporate security

Virus DefensesCentralize the updating and distribution of

antivirus softwareUse a security suite that integrates virus

protection with firewalls, Web security,and content blocking features

51



Other Security Measures Security Codes

Multilevel password system Encrypted passwords

Smart cards with microprocessors

Backup Files

Duplicate files of data or programs

Security Monitors Monitor the use of computers and networks

Protects them from unauthorized use, fraud, and destruction

Biometrics Computer devices measure physical traits that make each

individual unique Voice recognition, fingerprints, retina scan

Computer Failure Controls Prevents computer failures or minimizes its effects Preventive maintenance Arrange backups with a disaster recovery organization

52



Other Security Measures In the event of a system failure, fault-tolerant systems have

redundant processors, peripherals, and software that provide Fail-over capability: shifts to back up components Fail-save capability: the system continues to operate at the

same level Fail-soft capability: the system continues to operate at a

reduced but acceptable level A disaster recovery plan contains formalized procedures to follow

in the event of a disaster Which employees will participate What their duties will be

What hardware, software, and facilities will be used Priority of applications that will be processed Use of alternative facilities Offsite storage of databases

53



Information System Controls

Methods anddevices thatattempt toensure theaccuracy,validity, andpropriety ofinformation

systemactivities

54



Auditing IT Security

IT Security AuditsPerformed by internal or external auditorsReview and evaluation of security measures

and management policiesGoal is to ensure that that proper and

adequate measures and policies are in place

55



Protecting Yourself from

Cybercrime

56



Case 3 Managing Information

Security OCTAVE Security Process MethodologyRisk Evaluation

Self-direction by people in the organization Adaptable measures that can change with technology A defined process and standard evaluation

procedures A foundation for a continual process that improves

security over time

Risk Management A forward-looking view A focus on a “critical few” security issues Integrated management of security policies and

strategies57



Case 3 Managing Information

SecurityOrganizational and Cultural

Open communication of risk information

and activities build around collaborationA global perspective on risk in the context

of the organization’s mission and business

objectives

Teamwork

58



Case Study Questions

What are security managers doing to improveinformation security?

How does the OCTAVE methodology work

to improve security in organizations? What does Lloyd Hession mean when he says

information security is “not addressed simply by

the firewalls and antivirus tools that are already

in place”?

59



Case 4 Maintaining Software

Security Security professionals have 7 to 21 days before

hacker’s tools used to exploit the most recent

vulnerabilities become available on the InternetMicrosoft’s monthly patch-release date is

known as “Patch Tuesday” Security software companies go to work

immediately to update their productsUpdate must be thoroughly tested beforebeing deployed

60



Case Study Questions What types of security problems are typically

addressed by a patch-management strategy?Why do such problems arise in the first place?

What challenges does the process of applying

software patches and updates pose for manybusinesses?What are the limitations of the patching

process?

Does the business value of a comprehensivepatch-management strategy outweigh its costs,its limitations, and the demands it placed on theIT function?

Security Ethical Challenges MIS

Documents